NetFlow on OpenWRT

This blog post is for network experimenters who want to export flow records from a small network, such as a home network using an OpenWRT router. Such a network might look like this:

[Figure: NetFlow_on_OpenWRT, a diagram of a home network with an OpenWRT router exporting flow records to a collector]

Flow records can be useful for various applications. Here is an example flow record:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP      10.1.1.19:52465 ->          10.1.1.1:22            100     4600     1

Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes.

In this tutorial we use OpenWRT[1], a popular free and open source router operating system, and add the softflowd package to it to generate NetFlow flow records. There are, however, many other ways to achieve the same outcome.

NetFlow is a specification for exporting and collecting flow records. It has been superseded by a newer open-standard specification called IPFIX.

We assume that you already have a router running a recent release of OpenWRT and SSH access to the command line on the router.

First step: install the softflowd package. Start by updating the package list:

opkg update

If the update fails, check that DNS is configured on your router, so that it can resolve internet names.

Now, install softflowd:

opkg install softflowd

Example:

# opkg install softflowd
Installing softflowd (0.9.9-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/mips_24kc/packages/softflowd_0.9.9-2_mips_24kc.ipk
Configuring softflowd.

There should now be a config file for softflowd at /etc/config/softflowd. You’ll need to edit it to suit your requirements. Here is an example where NetFlow version 9 has been enabled on interface br-lan, sending to a NetFlow collector at 192.168.1.40:9995 with a maximum flow record age of 60 seconds:

# cat /etc/config/softflowd
config softflowd
        option enabled        '1'
        option interface      'br-lan'
        option pcap_file      ''
        option timeout        'maxlife=60'
        option max_flows      '8192'
        option host_port      '192.168.1.40:9995'
        option pid_file       '/var/run/softflowd.pid'
        option control_socket '/var/run/softflowd.ctl'
        option export_version '9'
        option hoplimit       ''
        option tracking_level 'full'
        option track_ipv6     '0'
        option sampling_rate  '1'

Notes:

  • You should be able to monitor any of the interfaces listed in ifconfig.
  • Running NetFlow will have an impact on the CPU of your router. Check the impact by running top.
  • The host_port value should be set to the IP address and port number of a NetFlow collector (to be discussed in a future post).
  • sampling_rate is a denominator, so the default value of 100 will only sample 1 in 100 packets; the value of 1 in the example above samples every packet.
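To make concrete what softflowd sends to host_port, here is an added example (not softflowd's code and not part of the original post) that packs the post's sample flow into a NetFlow version 5 export datagram and decodes it back into a line in the style of the flow record shown at the top of the post. The unix time, uptime, sequence number and TCP flags are constructed values; the field layout is the standard v5 header (24 bytes) followed by 48-byte records. The 4-byte address fields are why v5 cannot carry IPv6 flows, and the sampling field in the header is where the sampling_rate denominator is reported to the collector.

```python
"""Build and decode a NetFlow v5 export datagram (added example, not softflowd's code)."""
import socket
import struct
from datetime import datetime, timezone

# NetFlow v5 header (24 bytes) and flow record (48 bytes), network byte order
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def build_v5_datagram(flows, unix_secs, sys_uptime_ms, flow_sequence=0, sampling_interval=1):
    """Pack flow dicts into one v5 datagram, as an exporter does before sending to host_port."""
    if len(flows) > 30:
        raise ValueError("a v5 datagram carries at most 30 records")
    # sampling field: top 2 bits are the sampling mode, low 14 bits the 1-in-N interval
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, sampling_interval & 0x3FFF)
    records = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",  # next hop unused
            0, 0,                                     # input/output SNMP ifIndex
            f["packets"], f["octets"],
            f["first_ms"], f["last_ms"],              # milliseconds relative to sys_uptime
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,  # pad, TCP flags, protocol, ToS
            0, 0, 0, 0, 0)                            # AS numbers, prefix masks, pad
        for f in flows)
    return header + records


def parse_v5_datagram(data):
    """Decode a v5 datagram into (header dict, list of record dicts); reject anything else."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"header announces {count} records ({expected} bytes), got {len(data)} bytes")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "flow_sequence": seq,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        (src, dst, _nexthop, _inp, _outp, pkts, octets, first, last, sport, dport,
         _pad, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                        "sport": sport, "dport": dport, "proto": proto,
                        "packets": pkts, "octets": octets,
                        "first_ms": first, "last_ms": last, "tcp_flags": flags})
    return header, records


def format_record(header, rec):
    """Render one record in the style of the flow line shown in the post."""
    # absolute start time = export wall clock minus (uptime at export - uptime at first packet)
    boot = header["unix_secs"] - header["sys_uptime_ms"] / 1000
    started = datetime.fromtimestamp(boot + rec["first_ms"] / 1000, tz=timezone.utc)
    duration = (rec["last_ms"] - rec["first_ms"]) / 1000
    return (f"{started:%Y-%m-%d %H:%M:%S}.{started.microsecond // 1000:03d} "
            f"{duration:8.3f} {PROTO_NAMES.get(rec['proto'], rec['proto'])} "
            f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
            f"{rec['packets']} {rec['octets']}")


# Constructed sample: the flow from the post's example record (times are made up)
SAMPLE_FLOW = {"src": "10.1.1.19", "dst": "10.1.1.1", "sport": 52465, "dport": 22,
               "proto": 6, "packets": 100, "octets": 4600,
               "first_ms": 5000, "last_ms": 5000, "tcp_flags": 0x18}

if __name__ == "__main__":
    dgram = build_v5_datagram([SAMPLE_FLOW], unix_secs=1533418294, sys_uptime_ms=5000)
    hdr, recs = parse_v5_datagram(dgram)
    print(f"{len(dgram)} bytes, version {hdr['version']}, {hdr['count']} record(s)")
    for r in recs:
        print(format_record(hdr, r))
```

The length check in parse_v5_datagram matters on a real collector: a datagram whose count field disagrees with its size is either truncated or not NetFlow at all, and should be logged and discarded rather than partially decoded.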

Start softflowd:

/etc/init.d/softflowd start

Check softflowd:

# softflowctl dump-flows
softflowd[1700]: Dumping flow data:
ACTIVE seq:1 [0.0.0.0]:0 <> [224.0.0.1]:0 proto:2 octets>:32 packets>:1 octets<:0 packets<:0 start:2018-06-09T03:36:24.488 finish:2018-06-09T03:36:24.488 tcp>:00 tcp<:00 flowlabel>:00000000 flowlabel<:00000000
EXPIRY EVENT for flow 1 in 3572 seconds

If it doesn’t work, check that you have set it to be enabled in the config file.

Statistics can also be shown:

# softflowctl statistics
softflowd[1587]: Accumulated statistics since 2018-08-04T23:16:28 UTC:
Number of active flows: 38
Packets processed: 477496
Fragments: 0
Ignored packets: 315 (315 non-IP, 0 too short)
Flows expired: 375 (0 forced)
Flows exported: 631 in 59 packets (0 failures)
Packets received by libpcap: 477854
Packets dropped by libpcap: 0
Packets dropped by interface: 0

Expired flow statistics:  minimum       average       maximum
  Flow bytes:                  32       1378175      19551484
  Flow packets:                 1          1261         17790
  Duration:                  0.00s        25.91s        75.39s

Expired flow reasons:
       tcp =        72   tcp.rst =         7   tcp.fin =        20
       udp =       143      icmp =        44   general =         6
   maxlife =        83
over 2 GiB =         0
  maxflows =         0
   flushed =         0

Per-protocol statistics:     Octets      Packets   Avg Life    Max Life
           icmp (1):          20720          247      36.36s      70.01s
           igmp (2):            432           12      15.93s      59.45s
            tcp (6):      516731579       472078      41.84s      74.94s
           udp (17):          62891          406       4.93s      75.39s
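The counters above are the ones to keep an eye on once the exporter is running, because several failure modes leave softflowd running while the flow data quietly becomes incomplete. As an added example (not part of the post and not softflowd's own code), this script parses softflowctl statistics output, embedded here as a constructed copy of the sample above, and flags packets dropped by libpcap or the interface (the CPU impact mentioned in the notes), export failures (the collector at host_port unreachable), forced expiry (flow table full) and a flow table approaching max_flows. The 1% drop threshold and the 90% table-fill threshold are assumptions you would tune for your router.

```python
"""Health check over `softflowctl statistics` output (added example, not softflowd's code)."""
import re
import sys

# Constructed sample: a copy of the statistics output shown in the post
SAMPLE_STATS = """\
softflowd[1587]: Accumulated statistics since 2018-08-04T23:16:28 UTC:
Number of active flows: 38
Packets processed: 477496
Fragments: 0
Ignored packets: 315 (315 non-IP, 0 too short)
Flows expired: 375 (0 forced)
Flows exported: 631 in 59 packets (0 failures)
Packets received by libpcap: 477854
Packets dropped by libpcap: 0
Packets dropped by interface: 0
"""

# (regex, counter name per capture group) for the lines worth watching
PATTERNS = [
    (r"Number of active flows: (\d+)", ("active_flows",)),
    (r"Packets processed: (\d+)", ("packets_processed",)),
    (r"Flows expired: (\d+) \((\d+) forced\)", ("flows_expired", "flows_forced")),
    (r"Flows exported: (\d+) in (\d+) packets \((\d+) failures\)",
     ("flows_exported", "export_packets", "export_failures")),
    (r"Packets received by libpcap: (\d+)", ("pcap_received",)),
    (r"Packets dropped by libpcap: (\d+)", ("pcap_dropped",)),
    (r"Packets dropped by interface: (\d+)", ("if_dropped",)),
]


def parse_statistics(text):
    """Turn the statistics text into a dict of integer counters (unknown lines are ignored)."""
    stats = {}
    for line in text.splitlines():
        for pattern, names in PATTERNS:
            m = re.match(pattern, line.strip())
            if m:
                stats.update(zip(names, map(int, m.groups())))
                break
    return stats


def check_exporter(stats, max_flows=8192, drop_threshold=0.01):
    """Return a list of warnings; an empty list means the exporter looks healthy.
    max_flows should match option max_flows in /etc/config/softflowd (assumed 8192)."""
    warnings = []
    received = stats.get("pcap_received", 0)
    dropped = stats.get("pcap_dropped", 0) + stats.get("if_dropped", 0)
    if received and dropped / received > drop_threshold:
        warnings.append(f"{dropped} of {received} packets dropped before softflowd saw them: "
                        "flow byte and packet counts are undercounted (check CPU load with top)")
    if stats.get("export_failures", 0):
        warnings.append(f"{stats['export_failures']} export failures: check host_port and "
                        "that the collector is reachable from the router")
    if stats.get("flows_forced", 0):
        warnings.append(f"{stats['flows_forced']} flows force-expired: the flow table filled up, "
                        "raise max_flows or shorten the timeouts")
    if stats.get("active_flows", 0) > 0.9 * max_flows:
        warnings.append(f"{stats['active_flows']} active flows, close to max_flows={max_flows}")
    return warnings


if __name__ == "__main__":
    # Pipe live output in (softflowctl statistics | python3 thisfile.py) or run on the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATS
    stats = parse_statistics(text)
    for name, value in stats.items():
        print(f"{name:18} {value}")
    print("warnings:", check_exporter(stats) or "none")
```

Running this from cron on the router and shipping the warnings with your other logs gives you an early signal that the flow records reaching the collector no longer reflect the traffic on the wire.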

Note that this version of softflowd (0.9.9 as of August 2018) doesn’t support IPFIX (it won’t start if the export version is set to 10). The options can be listed by running softflowd without arguments:

# softflowd
-i or -r option not specified.
Usage: softflowd [options] [bpf_program]
This is softflowd version 0.9.9. Valid commandline options:
  -i [idx:]interface Specify interface to listen on
  -r pcap_file       Specify packet capture file to read
  -t timeout=time    Specify named timeout
  -m max_flows       Specify maximum number of flows to track (default 8192)
  -n host:port       Send Cisco NetFlow(tm)-compatible packets to host:port
  -p pidfile         Record pid in specified file
                     (default: /var/run/softflowd.pid)
  -c pidfile         Location of control socket
                     (default: /var/run/softflowd.ctl)
  -v 1|5|9           NetFlow export packet version
  -L hoplimit        Set TTL/hoplimit for export datagrams
  -T full|proto|ip   Set flow tracking level (default: full)
  -6                 Track IPv6 flows, regardless of whether selected
                     NetFlow export protocol supports it
  -d                 Don't daemonise (run in foreground)
  -D                 Debug mode: foreground + verbosity + track v6 flows
  -s sampling_rate   Specify periodical sampling rate (denominator)
  -h                 Display this help

Valid timeout names and default values:
  tcp     (default   3600)  tcp.rst (default    120)  tcp.fin (default    300)
  udp     (default    300)  icmp    (default    300)  general (default   3600)
  maxlife (default 604800)  expint  (default     60)

Congratulations, you now have an OpenWRT router that you can use to export flow records. In the next blog post in this series we talk about setting up a NetFlow Collector to receive the records so that they can be written to disk and analysed.

[1] See: https://openwrt.org/

7 thoughts on “NetFlow on OpenWRT”

  1. Gobalakrishnan Viswanathan October 15, 2018 / 5:17 am

    Hi, I am trying softflowd in OpenWRT. I need to store NetFlow traffic data from multiple OpenWRT devices in an ELK stack. Everything is working fine, but there is no hostname parameter in the NetFlow data by which I can create an index for each device in ELK. Is there any possible way to get hostname-specific data from softflowd?

    Thanks,
    Gobalakrishnan Viswanathan,

  2. sagar jain June 17, 2019 / 6:37 pm

    How to collect softflowd data?

  3. ZombsRoyale.io April 29, 2020 / 4:48 am

    What’s going down? I am new to this. I stumbled upon this and I’ve found it absolutely helpful, and it
    has aided me out loads. I hope to contribute and help other users like it’s helped me.

    Good job.

  4. Hikari October 1, 2020 / 11:26 am

    That seems nice, sadly mine reported to not know of any package named softflowd :/